Install Pi-Hole in Docker on Firewalla Gold or Purple
This is a script for installing pi-hole container on Firewalla Gold or Purple. It is based on the Firewalla tutorial and has been tested on 1.974.
Notes
- Pi-hole runs fine on all Purple or Gold models. (see below)
- Understand that Firewalla and Pihole have some overlapping features which means you have two options:
- Set the Firewalla LAN DNS settings to point to pihole. Pihole will see only firewalla, not individiual devices. So that means you can't tweak pihole per device.
- Disable DNS Booster This will allow Pihole to see individual devices but will disable many firewalla features. Given the options, I strongly recommend the first. Some people may find this tradeoff unacceptable. There is another option. nextDNS can be used with the best of both worlds see my installer for using nextDNS with Fireawlla.
Assuming you want to go on with pihole, given the above:
- Firewalla uses pi-hole v5.1.2 in their example. I have set up the option for using the latest or Firewalla's default. You can choose when you install. I have had no issues installing or using the latest Pihole release.
- The Pi-hole password will be,
firewalla.
Installation
To install:
-
SSH into your Firewalla (learn how if you don't know how already.)
-
If you want regular pi-hole with the version Firewalla recommends, copy the line below and paste into the Firewalla shell and then hit enter.
curl -s -L -C- https://raw.githubusercontent.com/mbierman/pihole-installer-for-Firewalla/main/pihole_docker_install.sh | cat <(cat <(bash))If you want pi-hole with the latest pihole image, copy the line below instead and paste into the Firewalla shell and then hit enter.
curl -s -L -C- https://raw.githubusercontent.com/mbierman/pihole-installer-for-Firewalla/main/pihole_docker_install.sh | cat <(cat <(bash -s -- latest))If you want pi-hole with DoH, copy the line below instead and paste into the Firewalla shell and then hit enter.
curl -s -L -C- https://raw.githubusercontent.com/mbierman/pihole-installer-for-Firewalla/main/pihole_docker_install.sh | cat <(cat <(bash -s -- doh))-
Now go to the network settings on Firewalla App, assign
172.16.0.2as the primary DNS server for all networks that you want to enable Pi-Hole and disable DoH or Unbound on these networks.- Tap on Network Manager.
- Tap on the Top right edit button.
- Tap on each LAN or VLAN segment you want to use pi-hole on.
- Scroll down and change the primary DNS to
172.16.0.2. Leave the secondary DNS empty.
Testing
- After completing the steps above, you should be able to see DNS requests coming up in the pi-hole management console 172.16.0.2/admin.
- Try to block something obvious in pi-hole like facebook.com and try to reach it you should be blocked.
- If you go to browserleaks.com/dns you should see the upstream DNS servers you set in pi-hole if you are using unencrypted DNS.
Standard disclaimer: I can not be responsible for any issues that may result. Nothing in the script should in any way, affect firewalla as a router or comprimise security. Happy to answer questions though if I can. :)
Debugging Tips
Use the fillowing to debug. If you have any issues, please provide:
- Go to http://172.16.0.2/admin/ ? http://172.16.0.2 will not work.
- Get the logs. When SSH'd to Firewalla,
sudo docker logs pihole - Try
sudo docker inspect pihole | grep "IPAddress" - Try
sudo docker psyou hould get something like:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES a5fe91e7a8ab pihole/pihole:latest "/s6-init" 11 minutes ago Up 11 minutes (healthy) 53/udp, 53/tcp, 80/tcp, 67/udp pihole - Try
sudo docker inspect pihole
Uninstalling
You can run this by copying this line and run it on firewalla to uninstall.
curl -s -L -C- https://raw.githubusercontent.com/mbierman/pihole-installer-for-Firewalla/main/uninstall_pihole.sh | cat <(cat <(bash))There are lots of pihole communities on Reddit. If you have pi-hole questions, please check there.